Insider Threats, Unintended Consequences
When they hear the term “Insider Threats”, most people are programmed to think of words like Terrorist, Malicious, Criminal, or some other negative connotation. That’s not to say all Insider Threats are malicious in nature. More often than not, Insider Threats are the unintended consequences of an unassuming, negligent, trusted employee, partner, or otherwise authorized user of your corporate environment, rather than a disgruntled employee who is out for retribution against an employer or has an otherwise malicious agenda seeking a way to make their point.
Insider Threat Policies and Procedures
One of my most common findings within an organization is a lack of structure and discipline with regard to accepted use of corporate assets, or even basic policies and procedures. Oftentimes, users are unaware of “Accepted Use Policies” and of the risks associated with proper use and protection of corporate assets. Businesses are growing at the speed of… well… business, and it’s to their own detriment that managers and owners are not investing appropriate time to ensure their employees and partners are trained properly and in accordance with their corporate policies and values. It’s tragic to invest so much sweat equity into developing a niche, game-changing widget only to have your competitive edge compromised by an unwitting, unintentional Insider.
So where do you start? First, pull out your binder (either physical or digital) of company policies and procedures, and dust it off. Wait! Whuuuut? You don’t HAVE one? Well, it’s easy to figure out where to start then. You need to begin by developing your Internal Policies and Procedures and your “norms”, or how you conduct day-to-day operations within your company. In some companies, the P&P are written into their Business Continuity Plan, or can even be an annex thereof. You should begin with a healthy brainstorming session with your leadership team and maybe a mentor. You need to identify your “Crown Jewels”, or Intellectual Property (IP) that distinguishes your company from your competitors. It doesn’t have to be a physical asset, but might be a unique approach or methodical solution to a complex problem. This is something you need to do to protect your organization against insider threats and to ensure you keep your competitive edge.
Do your employees know what your corporate IP is? They should know exactly what is important to the company. They should also know and understand the threat to the IP. If they don’t know the threat, and they don’t know the IP, they won’t know how to protect it against insider threats. The threat is an ever-moving target and security awareness training is extremely important to keep everyone informed of the evolving threat, and specific mitigation strategies associated with insider threats.
Next up, I’ll break down a Policies and Procedure Development Strategy to ensure everyone knows what is expected of them, and how they play an active, vital role in the company’s success.